Strongswan 5.0.4 + certificate
Форум — Admin
Господа, прошу помощи, устал уже ковырять, не вижу причину. Может кто сталкивался. Описание системы и проблемы:
centos x86-64 обновленная
strongswan-5.0.4-4.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
Привожу конфиги и лог: cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
conn %default
left=me_external_static_ip
leftsubnet=0.0.0.0/0
leftcert=/etc/strongswan/ipsec.d/certs/server.XXX.by_key.pem
leftid="C=by, ST=Belarus, O=XXX.by, CN=XXX.by"
auto=add
conn IPSEC_NAT-T_eap
right=%any
rightsubnet=192.168.2.0/24
rightauth=eap-mschapv2
eap_identity=%any
auto=start
conn IPSEC_NAT-T_certs
right=%any
rightsourceip=10.0.7.40/27
auto=start
: RSA /etc/strongswan/ipsec.d/private/server.XXX.by_cert.pem "me_pass"
me_user : EAP "me_pass"
Sep 16 19:55:26 00[DMN] signal of type SIGINT received. Shutting down
Sep 16 19:55:28 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-358.18.1.el6.x86_64, x86_64)
Sep 16 19:55:28 00[LIB] plugin 'sqlite' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] openssl FIPS mode(0) - disabled
Sep 16 19:55:28 00[LIB] plugin 'eap-radius' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-radius.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'eap-tnc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-tnc.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-imc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imc.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-imv' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-tnccs' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-tnccs.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-20' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-11' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-11.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-dynamic' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-dynamic.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Sep 16 19:55:28 00[CFG] loaded ca certificate "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by" from '/etc/strongswan/ipsec.d/cacerts/XXX.by_CA_cert.pem'
Sep 16 19:55:28 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Sep 16 19:55:28 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Sep 16 19:55:28 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Sep 16 19:55:28 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Sep 16 19:55:28 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Sep 16 19:55:28 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/server.XXX.by_key.pem'
Sep 16 19:55:28 00[CFG] loaded EAP secret for user
Sep 16 19:55:28 00[DMN] loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Sep 16 19:55:28 00[JOB] spawning 16 worker threads
Sep 16 19:55:28 09[CFG] received stroke: add connection 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 09[CFG] loaded certificate "C=by, ST=Belarus, O=XXX.by, CN=XXX.by" from '/etc/strongswan/ipsec.d/certs/server.XXX.by_cert.pem'
Sep 16 19:55:28 09[CFG] added configuration 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 12[CFG] received stroke: initiate 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 12[IKE] unable to initiate to %any
Sep 16 19:55:28 12[MGR] tried to check-in and delete nonexisting IKE_SA
Sep 16 19:55:28 11[CFG] received stroke: add connection 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 11[CFG] adding virtual IP address pool 10.0.7.40/27
Sep 16 19:55:28 11[CFG] loaded certificate "C=by, ST=Belarus, O=XXX.by, CN=XXX.by" from '/etc/strongswan/ipsec.d/certs/server.XXX.by_cert.pem'
Sep 16 19:55:28 11[CFG] added configuration 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 15[CFG] received stroke: initiate 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 15[IKE] unable to initiate to %any
Sep 16 19:55:28 15[MGR] tried to check-in and delete nonexisting IKE_SA
Sep 16 19:58:31 09[NET] received packet: from 93.125.67.53[500] to me_external_static_ip[500] (616 bytes)
Sep 16 19:58:31 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
Sep 16 19:58:31 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sep 16 19:58:31 09[IKE] 93.125.67.53 is initiating an IKE_SA
Sep 16 19:58:31 09[IKE] remote host is behind NAT
Sep 16 19:58:31 09[IKE] sending cert request for "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:31 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep 16 19:58:31 09[NET] sending packet: from me_external_static_ip[500] to 93.125.67.53[500] (333 bytes)
Sep 16 19:58:32 14[NET] received packet: from 93.125.67.53[4500] to me_external_static_ip[4500] (2268 bytes)
Sep 16 19:58:32 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep 16 19:58:32 14[IKE] received cert request for "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:32 14[IKE] received 33 cert requests for an unknown ca
Sep 16 19:58:32 14[IKE] received end entity cert "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG] looking for peer configs matching me_external_static_ip[%any]...93.125.67.53[C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by]
Sep 16 19:58:32 14[CFG] selected peer config 'IPSEC_NAT-T_eap'
Sep 16 19:58:32 14[CFG] using certificate "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG] using trusted ca certificate "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:32 14[CFG] checking certificate status of "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG] certificate status is not available
Sep 16 19:58:32 14[CFG] reached self-signed root ca with a path length of 0
Sep 16 19:58:32 14[IKE] authentication of 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by' with RSA signature successful
Sep 16 19:58:32 14[CFG] constraint check failed: EAP identity '%any' required
Sep 16 19:58:32 14[CFG] selected peer config 'IPSEC_NAT-T_eap' inacceptable: non-matching authentication done
Sep 16 19:58:32 14[CFG] switching to peer config 'IPSEC_NAT-T_certs'
Sep 16 19:58:32 14[IKE] peer supports MOBIKE
Sep 16 19:58:32 14[IKE] authentication of 'C=by, ST=Belarus, O=XXX.by, CN=XXX.by' (myself) with RSA signature successful
Sep 16 19:58:32 14[IKE] IKE_SA IPSEC_NAT-T_certs[3] established between me_external_static_ip[C=by, ST=Belarus, O=XXX.by, CN=XXX.by]...93.125.67.53[C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by]
Sep 16 19:58:32 14[IKE] scheduling reauthentication in 10205s
Sep 16 19:58:32 14[IKE] maximum IKE_SA lifetime 10745s
Sep 16 19:58:32 14[IKE] sending end entity cert "C=by, ST=Belarus, O=XXX.by, CN=XXX.by"
Sep 16 19:58:32 14[IKE] peer requested virtual IP %any
Sep 16 19:58:32 14[CFG] assigning new lease to 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by'
Sep 16 19:58:32 14[IKE] assigning virtual IP 10.0.7.41 to peer 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by'
Sep 16 19:58:32 14[IKE] CHILD_SA IPSEC_NAT-T_certs{1} established with SPIs cbfb8f34_i 16ca58d8_o and TS 0.0.0.0/0 === 10.0.7.41/32
Sep 16 19:58:32 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Sep 16 19:58:32 14[NET] sending packet: from me_external_static_ip[4500] to 93.125.67.53[4500] (1540 bytes)